Migrating to a new Active Directory, testing it out

pedrotor
Level 1

Hello all,

We are moving to a new AD that our parent company has, new.com.

We currently use directory sync with old.com. I understand that we have to remove old.com and ensure that we have the same variables in new.com so that new.com AD will take over management.

What I’m not clear on is if we can test side by side? Ideally I would like to set up a user that doesn’t exist on old.com in new.com and sync only that user. Have old.com as a suffix on new.com. Then test out our existing applications. We intend to keep old.com as the main mail attribute for users on the new.com domain. We currently use the mail attribute so we would just set that to testuser@old.com.

Does that logic make sense? We aren’t so worried about the AD migration so much as we are worried about losing the ability to pass old.com to 100+ applications for SSO/2FA.

Maybe I’m wrong on all this, would love some input. Thank you!

1 Reply

DuoKristina
Cisco Employee

Yes, you can set up an additional AD sync to new.com domain that coexists with the old.com sync.

The only catch is that the new.com sync can’t manage any users or groups that would cause a naming conflict with old.com users or groups.

So, if you test with a new and unique new.com user and group, that doesn’t also exist in old.com, you should be fine.

Duo, not DUO.